Technique on mitre.org

T1218.010: Regsvr32

Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.

Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. This variation of the technique is often referred to as a "Squiblydoo" and has been used in campaigns targeting governments.

Regsvr32.exe can also be leveraged to register a COM Object used to establish persistence via Component Object Model Hijacking.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_defense_evasion: PT-CR-946: Suspicious_Execution_Via_Regsvr32: An attempt to bypass application-start restrictions by using regsvr32.exe (a built-in Microsoft Windows utility used for DDL registration) mitre_attck_defense_evasion: PT-CR-650: Suspicious_File_Created_By_Legal_Process: Detects creation of suspicious files by legitimate processes mitre_attck_defense_evasion: PT-CR-198: Regsvr32_AWL_Bypass: An attempt to bypass application-start restrictions by using regsvr32.exe (a built-in Microsoft Windows utility used for DDL registration) hacking_tools: PT-CR-357: Koadic_REGSVR32_Stager: Possible use of the Koadic software with Regsvr32 is detected

Detection

ID	DS0011	Data source and component	Module: Module Load	Description	Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. Note: This looks for unsigned images that may be loaded by regsvr32, while attempting to eliminate false positives stemming from Windows/Program Files binaries. Analytic 5 - Loading Unsigned Images `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="7") (Image="C:\Windows\System32\regsvr32.exe" OR Image="C:\Windows\SysWOW64\regsvr32.exe") Signed=false ImageLoaded!="C:\Program Files" ImageLoaded!="C:\Windows\*"\|stats values(ComputerName) as "Computer Name" count(ImageLoaded) as ImageLoadedCount by ImageLoaded`

ID	DS0017	Data source and component	Command: Command Execution	Description	Command arguments used before and after the regsvr32.exe invocation may also be useful in determining the origin and purpose of the script or DLL being loaded.

ID	DS0029	Data source and component	Network Traffic: Network Connection Creation	Description	Monitor for newly constructed network connections that are sent or received by untrusted hosts.

ID	DS0009	Data source and component	Process: Process Creation	Description	Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). Analytic 1 is a more generic analytic that looks for suspicious usage of regsvr32.exe, specifically for cases where regsvr32.exe creates child processes that aren’t itself. It’s not likely that this will result in millions of hits, but it does occur during benign activity so some form of baselining would be necessary for this to be useful as an alerting analytic. Analytic 2 is around “Squiblydoo”, which is a specific usage of regsvr32.exe to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. It looks for regsvr32.exe process creation events that load scrobj.dll via the command-line (which executes the COM scriptlet). Analytic 3 This uses the same logic as above, but adds lightweight baselining by ignoring all results that also showed up in the previous 30 days (it runs over 1 day). Analytic 4 This looks for child processes that may be spawend by regsvr32, while attempting to eliminate some of the common false positives such as werfault (Windows Error Reporting). Analytic 1 - Generic Regsvr32 `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") regsvr32.exe \| search ParentImage="regsvr32.exe" AND Image!="regsvr32.exe"` Analytic 2 - Squiblydoo `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") regsvr32.exe scrobj.dll \| search Image="regsvr32.exe"` Analyt 3 - New Items since last month `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") earliest=-d@d latest=now() regsvr32.exe \| search ParentImage="regsvr32.exe" AND Image!="regsvr32.exe" \| search NOT [ search (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") earliest=-60d@d latest=-30d@d regsvr32.exe \| search ParentImage="regsvr32.exe" AND Image!="regsvr32.exe" \| dedup CommandLine \| fields CommandLine ]` Analytic 4 - Spawning Child Processes (source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") (ParentImage="C:\Windows\System32\regsvr32.exe" OR ParentImage="C:\Windows\SysWOW64\regsvr32.exe") AND Image!="C:\Windows\System32\regsvr32.exe" AND Image!="C:\Windows\SysWOW64\regsvr32.exe" AND Image!="C:\WINDOWS\System32\regsvr32.exe" AND Image!="C:\WINDOWS\SysWOW64\regsvr32.exe" AND Image!="C:\Windows\SysWOW64\WerFault.exe" AND Image!="C:\Windows\System32\wevtutil.exe" AND Image!="C:\Windows\System32\WerFault.exe"\|stats values(ComputerName) as "Computer Name" values(ParentCommandLine) as "Parent Command Line" count(Image) as ImageCount by Image

ID	Data source and component	Description
DS0011	Module: Module Load	Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. Note: This looks for unsigned images that may be loaded by regsvr32, while attempting to eliminate false positives stemming from Windows/Program Files binaries. Analytic 5 - Loading Unsigned Images `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="7") (Image="C:\Windows\System32\regsvr32.exe" OR Image="C:\Windows\SysWOW64\regsvr32.exe") Signed=false ImageLoaded!="C:\Program Files" ImageLoaded!="C:\Windows\*"\|stats values(ComputerName) as "Computer Name" count(ImageLoaded) as ImageLoadedCount by ImageLoaded`
DS0017	Command: Command Execution	Command arguments used before and after the regsvr32.exe invocation may also be useful in determining the origin and purpose of the script or DLL being loaded.
DS0029	Network Traffic: Network Connection Creation	Monitor for newly constructed network connections that are sent or received by untrusted hosts.
DS0009	Process: Process Creation	Use process monitoring to monitor the execution and arguments of regsvr32.exe. Compare recent invocations of regsvr32.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). Analytic 1 is a more generic analytic that looks for suspicious usage of regsvr32.exe, specifically for cases where regsvr32.exe creates child processes that aren’t itself. It’s not likely that this will result in millions of hits, but it does occur during benign activity so some form of baselining would be necessary for this to be useful as an alerting analytic. Analytic 2 is around “Squiblydoo”, which is a specific usage of regsvr32.exe to load a COM scriptlet directly from the internet and execute it in a way that bypasses application whitelisting. It looks for regsvr32.exe process creation events that load scrobj.dll via the command-line (which executes the COM scriptlet). Analytic 3 This uses the same logic as above, but adds lightweight baselining by ignoring all results that also showed up in the previous 30 days (it runs over 1 day). Analytic 4 This looks for child processes that may be spawend by regsvr32, while attempting to eliminate some of the common false positives such as werfault (Windows Error Reporting). Analytic 1 - Generic Regsvr32 `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") regsvr32.exe \| search ParentImage="regsvr32.exe" AND Image!="regsvr32.exe"` Analytic 2 - Squiblydoo `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") regsvr32.exe scrobj.dll \| search Image="regsvr32.exe"` Analyt 3 - New Items since last month `(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") earliest=-d@d latest=now() regsvr32.exe \| search ParentImage="regsvr32.exe" AND Image!="regsvr32.exe" \| search NOT [ search (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") earliest=-60d@d latest=-30d@d regsvr32.exe \| search ParentImage="regsvr32.exe" AND Image!="regsvr32.exe" \| dedup CommandLine \| fields CommandLine ]` Analytic 4 - Spawning Child Processes (source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") (ParentImage="C:\Windows\System32\regsvr32.exe" OR ParentImage="C:\Windows\SysWOW64\regsvr32.exe") AND Image!="C:\Windows\System32\regsvr32.exe" AND Image!="C:\Windows\SysWOW64\regsvr32.exe" AND Image!="C:\WINDOWS\System32\regsvr32.exe" AND Image!="C:\WINDOWS\SysWOW64\regsvr32.exe" AND Image!="C:\Windows\SysWOW64\WerFault.exe" AND Image!="C:\Windows\System32\wevtutil.exe" AND Image!="C:\Windows\System32\WerFault.exe"\|stats values(ComputerName) as "Computer Name" values(ParentCommandLine) as "Parent Command Line" count(Image) as ImageCount by Image

Mitigation

ID	M1050	Name	Exploit Protection	Description	Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block regsvr32.exe from being used to bypass application control. Identify and block potentially malicious software executed through regsvr32 functionality by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.

ID	Name	Description
M1050	Exploit Protection	Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block regsvr32.exe from being used to bypass application control. Identify and block potentially malicious software executed through regsvr32 functionality by using application control tools, like Windows Defender Application Control, AppLocker, or Software Restriction Policies where appropriate.